New Vulnerabilities Found in TPM 2.0 Library That Could be a Potential Threat to Billions of Devices

[TheLostSwede]

A pair of new vulnerabilities has been found in the TPM 2.0 library by cybersecurity company Quarkslab, that has security experts worried, as both of the flaws have potential far reaching implications. The two vulnerabilities go under the CVE identifiers of CVE-2023-1017 and CVE-2023-1018, where the first one allows for out-of-bounds writes, whereas the second one enables out-of-bounds reads, also known as buffer overflow vulnerabilities. This in itself might not sound particularly concerning, but as both can be triggered from user-mode applications, they're a pretty big deal, as it would enable malicious commands to be sent to a TPM 2.0 module, which could in turn enable malicious software to be installed on the device with the TPM 2.0 module.

According to Quarkslab, billions of devices could be affected, as TPM 2.0 authentication modules are used in everything from servers to IoT devices and has been the main hardware-based crypto solution for almost a decade by now. The attacker using the vulnerabilities would have to know what they're doing to be able to take advantage of these two flaws in TPM 2.0, but as it relies on the TPM command interface, there's no easy way to protect against an attack, if someone has gained user access to the system in question. The Trusted Computing Group (TCG) which is in charge of the TPM standard, has already issued an errata which includes instructions on how to address the two vulnerabilities and we're like to see updates from all major hardware vendors as they see fit.



View at TechPowerUp Main Site | Source

 

[Assimilator]

You'd expect that an organisation that's supposed to be about security would be able to write code that does bounds checking properly, but apparently not...

 

[TumbleGeorge]

You'd expect that an organisation that's supposed to be about security would be able to write code that does bounds checking properly, but apparently not...

Oh, it's quite obvious that they are pushing us to buy motherboards and other devices with updated versions of hardware TPM chips. There are no random things, only greed.

 

[ThrashZone]

Hi,
But wait onedrive to the rescue it's just a disposable devise right

 

[lexluthermiester]

A pair of new vulnerabilities have been found in the TPM 2.0 library

Gee golly darn, who saw THIS coming...

You'd expect that an organisation that's supposed to be about security would be able to write code that does bounds checking properly, but apparently not...

Or perhaps proper and complete TESTING before releasing.

 

[catulitechup]

I remember when M$ said TPM 2.0 for more security................and now

 

[Solaris17]

Not bad for a decade of existing I guess. These API libraries after all have nothing to do with MS.

Looks like this might get to be fixed with software though, which is nice. Better than TPM 1.2 hardware sec issue I guess.

 

[A Computer Guy]

Oh, it's quite obvious that they are pushing us to buy motherboards and other devices with updated versions of hardware TPM chips. There are no random things, only greed.

It's a coincidence!

 

[JAB Creations]

Gee, Microsoft who is basically married to the criminal organization masquerading as a "government" pushing TPM 2.0 as a "requirement" for Windows 11 and the device is found to have vulnerabilities?!

 

[sLowEnd]

Gee golly darn, who saw THIS coming...


Or perhaps proper and complete TESTING before releasing.

lol who tests any software or hardware these days? The name of the game is to get a minimum viable product out and maybe patch it later but not really, go buy our new product instead

 

[mechtech]

Trusted Platform Mole.

 

[qlum]

The misunderstanding about TPM is that people think it's about protecting them.
It exists to protect the system against it's users. This could be Microsoft using it as a form of tamper protection, or it could be a corporation protecting it's laptops.
End of the day, it is not really meant to protect the user, nor will it ever be effective for that.

 

[Wirko]

The S in TPM stands for ... aaah-hemm.

 

[A Computer Guy]

Can't wait until TPM with 2FA becomes a thing.

 

[johnspack]

This is why MS wants us to have TPM 2.0? For Win11? Okay. Hmmmm.....

 

[AsRock]

This is why MS wants us to have TPM 2.0? For Win11? Okay. Hmmmm.....

No, MS want you to have it so there is a bigger chance of you needing a new PC. there be a few software fiixes that possibly break stuff then a newer TPM like 2.1 or 3.0 which requires a new OS ha.

 

[lexluthermiester]

No, MS want you to have it so there is a bigger chance of you needing a new PC. there be a few software fiixes that possibly break stuff then a newer TPM like 2.1 or 3.0 which requires a new OS ha.

Regardless of what microsoft claims, there is no good reason for TPM in consumer level PC's. TPM does not help the average PC user in any way. It has the potential to cause serious problems.

So the requirement of TPM is absurd. The only motivation is selling PC's to keep the PC market from collapsing, which was a very real possibility and to some degree still is. The Covid Pandemic has had a number of disruptive effects. While I despise them doing this and how they did it, the reason can be understood, even if it is despicable. There are better ways to do motivate PC sales and upgrades. The boneheads at microsoft simply didn't use their brains for anything more that a seat cushion(looking at you microsoft board of directors).

 

[LabRat 891]

This is just perfect for a Microsoft Sam 'ROFLcopter'

Literally, things were more secure when there was no security in-built and whoever deployed the kit, actually had to know what they were doing...

 

[hat]

"if someone has gained user access" so yet another weird exploit that can screw you when you're already screwed. It's like saying a thief who has stolen your car may be able to start your engine.

 

[P4-630]

So physical local access is needed?

 

[LabRat 891]

So physical local access is needed?

At least from the terms used, no. "User Access" could include a compromised account profile or phished/social engineered credentials.
I still tend to agree w/ hat. If you're already pwned, there's not much stopping full access. However, I could see these kinds of security exploits used to somehow 'get around' User-permissions limitations.

Basically, IMO as a pedestrian home user/enthusiast: This is of little concern.
However, for companies that spent $$$$$$+ on 'highly secure, new msft-approved equipment' might:
A. have something to worry about
B. be miffed as all hell.

 

[VolutedJoker]

No lie, I literally updated to TPM 2.0 last night just to get the free upgrade to Windows 11. SMH

 

[A Computer Guy]

What about AMD CPU based TPM? No problems there or is that an entirely different beast?

 

[LabRat 891]

What about AMD CPU based TPM? No problems there or is that an entirely different beast?

According to the article, it's the whole library/spec.

 

[lexluthermiester]

So physical local access is needed?

Maybe.

No lie, I literally updated to TPM 2.0 last night just to get the free upgrade to Windows 11. SMH

You should have just used a bypass and used 11 anyway. The requirements are just microsoft BS anyway.